Abstract


We define an algebraic theory of hierarchical graphs, whose axioms 
characterise graph isomorphism: two terms are equated exactly when 
they represent the same graph. Our algebra can be understood as 
a high-level language for describing graphs with a node-sharing, em- 
bedding structure, and it is then well suited for defining graphical 
representations of software models where nesting and linking are key 
aspects. In particular, we propose the use of our graph formalism as a 
convenient way to describe configurations in process calculi equipped 
with inherently hierarchical features such as sessions, locations, trans- 
actions, membranes or ambients. The graph syntax can be seen as an 
intermediate representation language, that facilitates the encodings of 
algebraic specifications, since it provides primitives for nesting, name 
restriction and parallel composition. In addition, proving soundness 
and correctness of an encoding (i.e. proving that structurally equivalent 
processes are mapped to isomorphic graphs) becomes easier as it can 
be done by induction over the graph syntax. 
1 Introduction


As witnessed by a vast literature, graphs offer a convenient ground for the 
specification and analysis of software systems. As an example, the use 
of graphs as a suitable domain for the visualisation of a system specified 
by algebraic means is pursued in various proposals, based on traditional 
Graph Transformation [18], Bigraphical Reactive Systems [23], Synchronized 
Hyperedge Replacement [17] and Membrane Systems [25, 26], just to cite a 
few of the most prominent examples. 

Despite their expressiveness and flexibility, the use of these formalisms to 
build a graphical representation for an existing specification language involves 
the major challenge of encoding system configurations (states), guaranteeing 
that structural equivalence is preserved: any two equivalent configurations 
P and Q are mapped into isomorphic graphs [P] and [Q]. Preserving 
structural equivalence has several advantages. It offers an intuitive normal 
form representation for systems, and it allows one to reuse results and techniques
from graph theory for solving specific problems: for example, checking 
structural equivalence by the use of algorithms for testing graph isomorphism. 
In particular, the soundness of the encoding is necessary to use graph 
transformation approaches [13] to model dynamic aspects like operational 
semantics, reconfigurations, refactorings or model transformations since 
(sub)graph isomorphism is at the base of the rule matching mechanism. 

When configurations P are specified by using an algebraic syntax (e.g. as 
in process calculi), their encoding [P] can be driven by their (term) structure 
by defining it inductively. In the absence of an algebraic presentation for the 
language under consideration, an ad-hoc algebraic syntax must be developed 
if one wants to benefit from compositionality and structural induction 
in proofs, transformations or definitions. Still, most graph models are 
defined set-theoretically: most often, they are not equipped with a natural 
algebraic syntax and the existing ones require advanced skills to deal with 
sophisticated models involving ad-hoc definitions of graphs with interfaces 
(e.g. [18]) or complex type systems (e.g. [9]), or representing hierarchies 
as trees (e.g. [19, 23]), hampering definitions and proofs. Moreover, one 
encounters a severe drawback: namely, the syntax of those graph formalisms 
is often very different from the source language, and they are not provided
with suitable primitives to deal with features that commonly arise in algebraic 
specifications, like names (e.g. references, channels), name restrictions (e.g. 
hiding, nonce generation) or hierarchical aspects (e.g. ambients, scopes) in 
the case of process calculi. Summarising all the above, the representation 
distance from the syntax of configurations with respect to the syntax of
encoding graphs complicates i) the definition of the encoding; ii) its proof of
correctness; and iii) its reuse when slightly different algebras of configurations
or kinds of graphs are considered.

Our idea is to distill a sort of standard intermediate language between 
those used for specifying system configurations and those available for graph 
formalisms, where some essential first-class concepts are suitably represented 
and built-in so that a) a standard encoding from the intermediate syntax 
to the graph models and its correctness are established once and for all; 
b) the representation distance from system configurations to the intermediate 
syntax is considerably reduced; and c) the encoding of system configurations 
is then factorised via the intermediate language. The main advantage is that 
the definition of the encoding (and the proof of its correctness) are carried 
out more conveniently at the algebraic level. 

We have decided to base our intermediate language on two key structural 
aspects that arise repeatedly in system specifications, namely nesting
and linking. Consider for instance the structure of file systems, composite 
diagrams, networks, membranes, sessions, transactions, locations, structured 
state machines or XML files. Various graphical models of nesting and sharing 
structures already exist but (as we claim in § 9) none of them offer a simple, 
intuitive syntax. Identifying the right structure is fundamental to enjoy 
scalability. In particular, nesting plays a fundamental role for abstracting 
the complexity of a system by offering different views at different levels of 
detail, based on the nesting depth. 

This paper describes our proposal for addressing those challenges. The 
work presented here is the full version of two conference papers [5, 4], 
extended with the proofs of the main results and two original encodings. 
Below we clarify the sources of content in better detail while explaining the 
structure of the paper. 

In [4], we have introduced a formalism made of an algebra (§ 2) for 
a model of hierarchical graphs (§ 3) to fill the gap between the different 
levels of abstraction at which algebraic specifications of software systems and 
graphical structures reside. The algebra enjoys primitives for dealing with 
names, restriction, parallel composition and, most importantly, nesting in 
the same way as they are used in process calculi. In particular, the nesting 
mechanism allows for easily defining graphical presentations of inherently 
hierarchical aspects such as locations, membranes, ambients, transactions 
or sessions, and it is equipped with a sound and complete set of axioms 
equating two terms whenever they represent isomorphic graphs (§ 4). Besides
facilitating the visual specification of configurations, we argue that definitions, 
transformations and proofs by induction are made easier by the algebraic 
structure of configurations and graphs. 

In [5] we have validated the above idea by using our graph algebra 
to encode the configurations of two (process) calculi with service-inherent 
features that have a certain hierarchical nature such as sessions, transactions 
or locations: the first one is a simple workflow language, vaguely reminiscent 
of BPEL; the second example concerns a sophisticated calculus for the 
description of service-oriented applications, namely, CaSPiS [1] (see § 7), 
whose features pose further challenges to visualisation, due to the interplay 
of name handling, nested sessions and a pipeline operator. This paper 
extends [5] with the proof of the correspondence result for CaSPiS (§ 7), 
preceded by two novel encodings: § 5 shows the encoding of the best-known 
nominal calculus, namely the π-calculus [22] and § 6 focuses on a calculus
for transactions called sagas [8]. Each example illustrates the treatment of 
linking, nesting and their combination, respectively. We remark that the 
technique we propose can be transferred to other calculi as well, as witnessed 
by other available encodings mentioned in § 9.


2 An algebra of hierarchical graphs 


We introduce here our algebra of (typed) hierarchical graphs that we call 
designs. The algebraic presentation of designs has emerged during our
studies on Architectural Design Rewriting [7] (hence the name) and has been
inspired by the graph algebra of CHARM [12].


Definition 1 (design) A design is a term of sort $D$ generated by

$$
\begin{array}{rcl}
D & ::= & L_{\bar{x}}[G] \\
G & ::= & 0 \;\mid\; x \;\mid\; l(\bar{x}) \;\mid\; G \mid G \;\mid\; (\nu x)G \;\mid\; D(\bar{x})
\end{array}
$$

where $l$ and $L$ are drawn from the alphabets $\mathcal{E}$ and $\mathcal{D}$ of edge and design labels,
respectively, $x$ is taken from a set $\mathcal{N}$ of nodes and $\bar{x} \in \mathcal{N}^*$ is a list of nodes.


The algebraic reading is as usual, where each syntactical category and 
vocabulary is considered as a sort and productions are read as functions. This 
allows us, for instance, to consider open terms (i.e. terms with typed vari- 
ables): they are useful for defining encodings by means of derived operators, 
as we shall see in § 5, § 6 and § 7.
As a matter of notation, we let $|\bar{x}|$ denote the set of elements of a list
$\bar{x}$; we also overload $|\cdot|$ in order to let it denote either the length of a list or
the cardinality of a set.

Terms generated by $G$ and $D$ are meant to represent (possibly hierarchical)
graphs and "edge-encapsulated" hierarchical graphs, respectively.
The syntax has the following informal meaning: $0$ represents the empty
graph, $x$ is a discrete graph containing node $x$ only, $l(\bar{x})$ is a graph formed
by an $l$-labelled (hyper)edge attached to nodes $\bar{x}$ (the $i$-th tentacle to the
$i$-th node in $\bar{x}$, sometimes denoted by $\bar{x}[i]$), $G \mid H$ is the graph resulting
from the parallel composition of graphs $G$ and $H$ (their disjoint union up to
shared nodes), $(\nu x)G$ is the graph $G$ after making node $x$ not visible from
the outside (borrowing nominal calculus jargon we say that the node $x$ is
restricted), and $D(\bar{x})$ is a graph formed by attaching design $D$ to nodes $\bar{x}$
(the $i$-th node in the interface of $D$ to the $i$-th node in $\bar{x}$).

A term $L_{\bar{x}}[G]$ is a design labelled by $L$, with body graph $G$ whose nodes
$\bar{x}$ are exposed in the interface. To clarify the exact role of the interface
of a design, we can use a programming metaphor: a design $L_{\bar{x}}[G]$ is like a
procedure declaration where $\bar{x}$ is the list of formal parameters. Then, the term
$L_{\bar{x}}[G](\bar{y})$ represents the application of the procedure to the list of actual
parameters $\bar{y}$; of course, in this case the lengths of $\bar{x}$ and $\bar{y}$ must be equal
(more precisely, the applicability of a design to a list of nodes must satisfy
other requirements to be detailed later in the definition of well-formedness).

Restriction $(\nu x)G$ acts as a binder for $x$ in $G$ and similarly $L_{\bar{x}}[G]$ binds
$|\bar{x}|$ in $G$, leading to the usual (inductively defined) notion of free nodes $fn(\cdot)$.


Definition 2 (free nodes) The free nodes of a design or a graph are
denoted by the function $fn(\cdot)$, defined as follows

$$
\begin{array}{rcl@{\qquad}rcl}
fn(0) & = & \emptyset & fn(x) & = & \{x\} \\
fn(l(\bar{x})) & = & |\bar{x}| & fn(G \mid H) & = & fn(G) \cup fn(H) \\
fn((\nu x)G) & = & fn(G) \setminus \{x\} & fn(D(\bar{x})) & = & fn(D) \cup |\bar{x}| \\
fn(L_{\bar{x}}[G]) & = & fn(G) \setminus |\bar{x}|
\end{array}
$$


The following example offers a first intuition of the algebra and the 
model of hierarchical graphs. For this purpose we offer an informal, appealing 
visual notation. The formal underlying graphs are introduced in § 3. 


Figure 1: Some terms of the graph algebra (drawing omitted): $G = a(u, w) \mid b(w, v)$;
$H = (\nu w)G$; $(\nu w)\big(A_{u,v}[G](x, y) \mid A_{u,v}[G](y, x)\big)$.


Example 1. For simplicity, in this example we consider hyperedges that
have two tentacles each, but this is not a restriction we shall enforce and in
fact we will consider more general cases in the rest of the paper. Let $a, b \in \mathcal{E}$,
$A \in \mathcal{D}$ and $u, v, w, x, y \in \mathcal{N}$. We write and depict in Figure 1 some terms of our
algebra. Nodes are represented by circles, edges by small rounded boxes,
and designs by large shaded boxes with a top bar. The first tentacle of an 
edge is represented by a plain arrow with no head, while the second one is 
denoted by a normal arrow. If a node is exposed in the interface we put it 
on the outermost layer and overlap the edges of the various layers denoting 
this with black boxes on design borders. In the particular examples only 
free nodes are annotated with their identities. Note that this representation 
is informal, to give a first intuition of our model of hierarchical graphs. The next
section offers the formal representation of the rightmost term.


In practice, it is very frequent that one is interested in disciplining the
use of edge and design labels so that they are attached only to a specific number of
nodes (possibly of specific sorts) or contain graphs of a specific topology.
To this aim it is typically the case that: 1) nodes are sorted, in which case
their labels take the form $n{:}s$ for $n$ the name and $s$ the sort of the node; 2)
each label of $\mathcal{E}$ and $\mathcal{D}$ has a fixed arity and for each rank a fixed node sort; 3)
designs can be partitioned according to their top-level labels (i.e. the set of
design labels $\mathcal{D}$ can be seen as the set of sorts, with a membership predicate
$D : L$ that holds whenever $D = L_{\bar{x}}[G]$ for some $\bar{x}$ and $G$). When this is the
case, we say that a design (or a graph) is well-typed if for each sub-term
$L_{\bar{x}}[G]$ we have that the (lists of) sorts of $\bar{x}$ and $L$ coincide, and similarly
for sub-terms $D(\bar{x})$ and $l(\bar{x})$. From now on, we restrict our attention to
well-formed designs.
Definition 3 (well-formedness) A design or graph is well-formed if
1. it is well-typed;
2. for each occurrence of design $L_{\bar{x}}[G]$ we have $|\bar{x}| \subseteq fn(G)$;
3. for each occurrence of graph $L_{\bar{x}}[G](\bar{y})$, the substitution $\bar{y}/\bar{x}$ induces a
bijection.


Intuitively, the restriction on the mapping $\bar{y}/\bar{x}$ allows $\bar{x}$ to account for
matching and mismatching of nodes in the interface: distinct nodes in $\bar{x}$
must correspond to distinct nodes in $\bar{y}$, and if the list $\bar{x}$ contains repetitions,
then all the occurrences of the same node $x$ in $\bar{x}$ must correspond to the
same node $y$ in $\bar{y}$, and vice versa.
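The following Python program is an illustration added here; it is not code from the paper. It implements the grammar of Definition 1 as a term data type, the function $fn(\cdot)$ of Definition 2 clause by clause, and conditions 2 and 3 of Definition 3 (node sorts are ignored, so condition 1, well-typedness, is not checked). The terms of Example 1 are rebuilt as constructed test data; all class and function names are our own.

```python
"""Terms of the design algebra (Definition 1), free nodes (Definition 2) and
the well-formedness conditions 2 and 3 of Definition 3.  Added example, not
code from the paper; node sorts are ignored (condition 1 is not checked)."""
from dataclasses import dataclass
from typing import Union


# G ::= 0 | x | l(x~) | G|G | (nu x)G | D(x~)      D ::= L_x~[G]
@dataclass(frozen=True)
class Empty:            # the empty graph 0
    pass

@dataclass(frozen=True)
class Node:             # a discrete graph with the single node x
    x: str

@dataclass(frozen=True)
class Edge:             # an l-labelled hyperedge; nodes[i] hangs on tentacle i
    label: str
    nodes: tuple

@dataclass(frozen=True)
class Par:              # parallel composition G | H
    left: "Graph"
    right: "Graph"

@dataclass(frozen=True)
class Nu:               # (nu x)G: restriction binds x in G
    x: str
    body: "Graph"

@dataclass(frozen=True)
class Design:           # L_x~[G]: iface is the list x~ of formal parameters
    label: str
    iface: tuple
    body: "Graph"

@dataclass(frozen=True)
class App:              # D(y~): a design applied to the actual parameters y~
    design: Design
    nodes: tuple

Graph = Union[Empty, Node, Edge, Par, Nu, App]


def fn(t) -> frozenset:
    """Free nodes, one clause per equation of Definition 2."""
    if isinstance(t, Empty):
        return frozenset()
    if isinstance(t, Node):
        return frozenset({t.x})
    if isinstance(t, Edge):
        return frozenset(t.nodes)
    if isinstance(t, Par):
        return fn(t.left) | fn(t.right)
    if isinstance(t, Nu):
        return fn(t.body) - {t.x}
    if isinstance(t, App):
        return fn(t.design) | frozenset(t.nodes)
    if isinstance(t, Design):
        return fn(t.body) - frozenset(t.iface)
    raise TypeError(f"not a term: {t!r}")


def well_formed(t) -> bool:
    """Conditions 2 and 3 of Definition 3, checked on every sub-term."""
    if isinstance(t, (Empty, Node, Edge)):
        return True
    if isinstance(t, Par):
        return well_formed(t.left) and well_formed(t.right)
    if isinstance(t, Nu):
        return well_formed(t.body)
    if isinstance(t, Design):
        # condition 2: every interface node is free in the body
        return set(t.iface) <= fn(t.body) and well_formed(t.body)
    if isinstance(t, App):
        x, y = t.design.iface, t.nodes
        if len(x) != len(y):
            return False
        # condition 3: y~/x~ is a bijection, i.e. x~[i] = x~[j] iff y~[i] = y~[j]
        for i in range(len(x)):
            for j in range(len(x)):
                if (x[i] == x[j]) != (y[i] == y[j]):
                    return False
        return well_formed(t.design)
    raise TypeError(f"not a term: {t!r}")


# The terms of Example 1, rebuilt here as constructed test data.
G = Par(Edge("a", ("u", "w")), Edge("b", ("w", "v")))
H = Nu("w", G)
A = Design("A", ("u", "v"), G)
T = Nu("w", Par(App(A, ("x", "y")), App(A, ("y", "x"))))

if __name__ == "__main__":
    for name, term in [("G", G), ("H", H), ("A_{u,v}[G]", A), ("T", T)]:
        print(name, sorted(fn(term)), well_formed(term))
```

Condition 3 is checked as the equivalence $\bar{x}[i] = \bar{x}[j] \iff \bar{y}[i] = \bar{y}[j]$ over all index pairs, which is exactly what "induces a bijection" between $|\bar{x}|$ and $|\bar{y}|$ amounts to; applying $A_{u,v}[G]$ to $(x, x)$ is therefore rejected, while a design with interface $(u, u)$ applied to $(x, x)$ is accepted.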

In order to have a notion of syntactically equivalent designs (i.e. to 
consider designs up to isomorphism), the algebra includes the structural 
graph axioms of [12] such as associativity and commutativity for | (with 
identity 0) and node restriction (respectively, axioms DA1—DA3 and DA4— 
DA6). In addition, it includes axioms to a-rename bound nodes (DA7—DA8), 
an axiom for making immaterial the addition of a node x to a graph where 
x is already free (DA9) and another one that makes sure global names are 
not localized inside designs (DA10). 


Definition 4 (design axioms) The structural congruence for well-formed
designs and graphs $\equiv_D$ is the least congruence satisfying

$$
\begin{array}{rcll}
G \mid H & \equiv & H \mid G & \text{(DA1)} \\
G \mid (H \mid I) & \equiv & (G \mid H) \mid I & \text{(DA2)} \\
G \mid 0 & \equiv & G & \text{(DA3)} \\
(\nu x)(\nu y)G & \equiv & (\nu y)(\nu x)G & \text{(DA4)} \\
(\nu x)0 & \equiv & 0 & \text{(DA5)} \\
G \mid (\nu x)H & \equiv & (\nu x)(G \mid H) \quad \text{if } x \notin fn(G) & \text{(DA6)} \\
L_{\bar{x}}[G] & \equiv & L_{\bar{y}}[G\{\bar{y}/\bar{x}\}] \quad \text{if } |\bar{y}| \cap fn(G) = \emptyset & \text{(DA7)} \\
(\nu x)G & \equiv & (\nu y)G\{y/x\} \quad \text{if } y \notin fn(G) & \text{(DA8)} \\
x \mid G & \equiv & G \quad \text{if } x \in fn(G) & \text{(DA9)} \\
L_{\bar{x}}[z \mid G](\bar{y}) & \equiv & z \mid L_{\bar{x}}[G](\bar{y}) \quad \text{if } z \notin |\bar{x}| & \text{(DA10)}
\end{array}
$$

where in axiom (DA7) the substitution is required to be a bijection (to avoid
node coalescing) and to respect the typing (to preserve well-formedness).
Note that $\equiv_D$ respects free nodes: $G \equiv_D H$ implies $fn(G) = fn(H)$.
Since $\equiv_D$ is a congruence, we remark that $L_{\bar{x}}[G] \equiv_D L_{\bar{x}}[H]$ whenever $G \equiv_D H$.

One important aspect of our algebra is that it allows the derivation of 
standard representatives for the equivalence classes induced by =p. 


Definition 5 (Normalized form) A term $G$ is in normalized form if it
is $0$ or it has the shape (for some $n + m + p + q \geq 1$, nodes $x_i$ and $z_i$, and
edges $l_i(\bar{v}_i)$ and ${L_i}_{\bar{x}_i}[G_i](\bar{w}_i)$)

$$
(\nu x_1)\ldots(\nu x_m)\big(\, z_1 \mid \cdots \mid z_n \mid l_1(\bar{v}_1) \mid \cdots \mid l_p(\bar{v}_p) \mid {L_1}_{\bar{x}_1}[G_1](\bar{w}_1) \mid \cdots \mid {L_q}_{\bar{x}_q}[G_q](\bar{w}_q) \,\big)
$$

where all terms $G_i$ are themselves in normalized form, all nodes $x_i$ are pairwise
distinct, all nodes $z_i$ are pairwise distinct and, letting $X = \{x_1, \ldots, x_m\}$
and $Z = \{z_1, \ldots, z_n\}$, we have $X \subseteq Z$, $fn(G) = Z \setminus X$ and $fn({L_i}_{\bar{x}_i}[G_i]) = Z$
for all $i = 1 \ldots q$.


Proposition 1 Any term $G$ admits a $\equiv_D$-equivalent term $norm(G)$ in normalized form.


Proof: We proceed by structural induction. For the base cases we have
that $0$ and $x$ are already in normalized form and the single-edged graph $l(\bar{x})$ can
be put in normalized form by exploiting DA9 to add in parallel composition
the nodes in $|\bar{x}|$. For the inductive cases, assume $norm(G)$ and $norm(H)$
are the normalized forms of $G$ and $H$ respectively. The normalized form of
the graph $(\nu x)G$ is $(\nu x)norm(G)$ if $x \in fn(G)$, otherwise it is just $norm(G)$,
because $(\nu x)G \equiv_D (\nu x)(G \mid 0) \equiv_D G \mid (\nu x)0 \equiv_D G \mid 0 \equiv_D G$ (by axioms
DA3, DA6 and DA5). For the last two cases, we introduce the notation
$normsat(G, Y)$, where $Y$ is a set of nodes, to denote the term obtained by
saturating $norm(G)$ by the parallel composition of the nodes in $Y$. This can
be straightforwardly defined by: 1) alpha-converting all the bound names
appearing in $norm(G)$ so that they are all different from the names in $Y$ (this is
achieved by axioms DA7 and DA8); 2) putting $G$ in parallel with the parallel
composition of all names in $Y \setminus fn(G)$ (which, by abuse of notation, we also
call $Y$); 3) exploiting axiom DA9 to create as many duplicates of $Y$ as the
top-level design edges appearing in $norm(G)$; 4) exploiting axioms DA1, DA2 and
DA6 to place one copy of $Y$ right after the top-level restrictions and the other
copies of $Y$ next to each top-level design edge; 5) exploiting axiom DA10 to
move the copies of $Y$ inside their adjacent design edges and then applying this
procedure iteratively (from step 2) to their content. Then, the normalized form
of $L_{\bar{x}}[G](\bar{y})$ is $Z \mid L_{\bar{x}}[normsat(G, Y)](\bar{y})$, where $Y = |\bar{y}| \setminus fn(L_{\bar{x}}[G])$ and
$Z$ is the parallel composition of the nodes in $|\bar{y}| \cup fn(L_{\bar{x}}[G])$ (the equivalence
is proved by applying axioms DA9 and DA10 repeatedly). Finally, the normalized
form of $G \mid H$ is obtained by: 1) taking $normsat(G, Y) \mid normsat(H, Z)$, where
$Y = fn(H) \setminus fn(G)$ and $Z = fn(G) \setminus fn(H)$; 2) alpha-converting all the
top-level restricted names appearing in $normsat(H, Z)$ so that they are all different
from the bound names in $normsat(G, Y)$ and then grouping all such top-level
restrictions to the left; 3) rearranging the term using axioms DA1 and DA2 to
group similar items (nodes, edges and design edges); 4) exploiting axiom DA9
to remove duplicate top-level nodes.


Figure 2: An algebra of graph sequences (drawing omitted).


Roughly, in $norm(G)$ the top-level restrictions are grouped to the left,
and all the global names $z_i$ are made explicit and propagated inside each
single component ${L_i}_{\bar{x}_i}[G_i](\bar{w}_i)$. Up to alpha-renaming and to permutation
of nodes and edges, the normalized form can be proved to be unique.

We call a graph flat whenever there is no design in its body. Sometimes, 
we impose the flattening property on the graph algebra by an axiom schema, 
implicitly removing (by performing some kind of hyper-edge replacement [15]) 
those edges satisfying a specific membership predicate. 


Definition 6 (flattening axiom) A flattening axiom $flat_L$ for some design
label $L$ is of the form $L_{\bar{x}}[G](\bar{y}) \equiv G\{\bar{y}/\bar{x}\}$.


In the next example we see how flattening is fundamental in order 
to characterise classes of graphs by means of derived operators. Indeed, 
flattening is used in all three encoding examples (see § 5, § 6 and § 7) where
some design labels will be used just for the sake of composing various classes 
of processes and not really to build scopes. 


Example 2. Suppose that we want to characterise the set $A$ of $a$-labelled,
acyclic, and connected sequences (see Example 1). We can define an algebra
with a constant $a : \to A$ denoting the one-element sequence, and a binary
sequential composition $\cdot\,;\cdot : A \times A \to A$. Both are derived operators,
defined by $a \stackrel{def}{=} A_{u,v}[a(u, v)]$ and $X;Y \stackrel{def}{=} A_{u,v}[(\nu w)(X(u, w) \mid Y(w, v))]$,
where $X$ and $Y$ have type $A$. The graphical representation of both operators is
visualised in Figure 2. We put the operator declaration on the top bar of the
outermost design and we annotate the variables with their names and types.
Note that, implicitly, the type of the outermost box is the type returned by
the operation. Clearly, the algebra as such constructs hierarchical sequences,
where e.g. $(a;(a;a))(x, y)$ and $((a;a);a)(x, y)$ intuitively define different graphs
due to the nestings (see Figure 3). If we introduce the flattening axiom $flat_A$
in the algebra, instead, the two former terms are identified, and intuitively
correspond to the normal form $(\nu w_1, w_2)(a(x, w_1) \mid a(w_1, w_2) \mid a(w_2, y))$
(see Figure 3).


Figure 3: Sequence composition without (top) and with flattening (bottom) (drawing omitted).


The above example illustrates the two roles of the nesting operator: as 
a way to enclose a graph and as a sort of typed interface to enable disciplined 
graph compositions. The presence of flattening axioms makes the first role 
immaterial. The example also illustrates how graphical encodings of existing 
(algebraic) languages are defined and exploited: the main issue is to see the 
constructors of the original language as derived operators of the graph algebra. 
Note that this enables the use of term rewrite techniques at the level of the 
original language. Consider for instance the term rewrite rule $X;Y \Rightarrow Y;X$
for the above example, where X,Y : A. With just one rule we are capturing 
all the possible ways to permute two arbitrary connected subsequences (the 
rule is applicable in any larger term and under any substitution of X and Y 
by terms of type A). Or else, consider proving by structural induction that 
the obtained graphs are all connected sequences. Such simplicity cannot be 
achieved easily with ordinary set-theoretic presentations of graphs. 
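As a worked illustration of Example 2, added here and not taken from the paper, the Python program below interprets sequence expressions directly as flat graphs, i.e. with the flattening axiom $flat_A$ built into the interpretation of the two derived operators, and then decides structural equivalence of two results by the graph-isomorphism check mentioned in the introduction: free nodes are kept fixed (as item 4 of Definition 10 requires) and a bijection between the restricted nodes is searched by brute force, which is adequate for the handful of $\nu$-bound nodes these examples produce. The representation and the names `FlatGraph`, `interp` and `isomorphic` are our own.

```python
"""Example 2 with flattening built in: sequence expressions are interpreted
as flat graphs, and structural equivalence is decided by graph isomorphism.
Added example, not code from the paper."""
from dataclasses import dataclass
from itertools import count, permutations


@dataclass(frozen=True)
class FlatGraph:
    free: frozenset    # nodes visible to the environment, fn(G)
    bound: frozenset   # (nu)-restricted nodes
    edges: tuple       # (label, (n1, n2, ...)): one entry per hyperedge


_fresh = count()

def fresh() -> str:
    """A restricted node name used nowhere else (alpha-conversion for free)."""
    return f"w{next(_fresh)}"


# Sequence expressions: "a" is the constant a, ("seq", X, Y) is X;Y.
def interp(expr, x: str, y: str) -> FlatGraph:
    """[[expr]](x, y) with flat_A applied: A_{u,v}[body](x, y) becomes
    body{x/u, y/v}, so no design edge is ever created."""
    if expr == "a":                                   # a = A_{u,v}[a(u, v)]
        return FlatGraph(frozenset({x, y}), frozenset(), (("a", (x, y)),))
    op, left, right = expr                            # X;Y = A_{u,v}[(nu w)(X(u,w) | Y(w,v))]
    assert op == "seq", expr
    w = fresh()
    gl, gr = interp(left, x, w), interp(right, w, y)
    return FlatGraph(frozenset({x, y}), gl.bound | gr.bound | {w}, gl.edges + gr.edges)


def isomorphic(g: FlatGraph, h: FlatGraph) -> bool:
    """Isomorphism of flat graphs: free nodes must coincide and are fixed;
    restricted nodes may be renamed bijectively; the multisets of labelled
    hyperedges (tentacle order included) must then agree exactly."""
    if g.free != h.free or len(g.bound) != len(h.bound) or len(g.edges) != len(h.edges):
        return False
    gb, hb = sorted(g.bound), sorted(h.bound)
    target = sorted(h.edges)
    for image in permutations(hb):                    # every bijection g.bound -> h.bound
        ren = dict(zip(gb, image))
        renamed = sorted((lab, tuple(ren.get(n, n) for n in ns)) for lab, ns in g.edges)
        if renamed == target:
            return True
    return False


def example_pair():
    """(a;(a;a))(x,y) and ((a;a);a)(x,y): different nestings, same flat graph."""
    left = interp(("seq", "a", ("seq", "a", "a")), "x", "y")
    right = interp(("seq", ("seq", "a", "a"), "a"), "x", "y")
    return left, right


if __name__ == "__main__":
    l, r = example_pair()
    print(l.edges, "~", r.edges, "->", isomorphic(l, r))
```

Both terms produce three $a$-edges and two restricted nodes, and the check finds the renaming that matches them, which is the content of the claim that $flat_A$ identifies them; the same check correctly separates $(a;(a;a))(x, y)$ from $(a;(a;a))(y, x)$, because tentacle order is part of the edge and the free nodes $x, y$ may not be swapped.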
Another kind of axioms that may be useful to include in the structural
congruence are extrusion axioms. It is worth mentioning that the extrusion
axiom was not presented in [4] since it was not needed for the examples
there, while in [5] extrusion for all design labels was considered as part of
the structural congruence, as it was used in all the examples. Here, on the
contrary, we see examples where extrusion is needed for some labels only.


Definition 7 (extrusion axiom) An extrusion axiom $extr_L$ for some design
label $L$ is of the form $L_{\bar{x}}[(\nu y)G](\bar{z}) \equiv (\nu y)L_{\bar{x}}[G](\bar{z})$, where $y \notin |\bar{x}|$.


Extrusion axioms are needed to handle those calculi in which name re- 
striction is not localised inside a scope or it is allowed to cross the boundaries 
of some scopes, as it happens for some process calculi. Indeed, we see in § 7 
how these axioms are used to capture extrusion for some scope constructs. 

Note that the addition of axiom $flat_L$ also implies the validity of axiom
$extr_L$, hence in the following we assume that for each label $L$ either exactly
one or none of the axioms $flat_L$ and $extr_L$ is present.


3 A model of hierarchical graphs


We first present the set of plain graphs and graph layers, upon which we
build our novel notion of hierarchical graphs. In the following, $\mathcal{N}$ and
$\mathcal{A} = \mathcal{A}_{\mathcal{E}} \uplus \mathcal{A}_{\mathcal{D}}$ denote the universe of nodes and edges, respectively, with $\mathcal{A}$
indexed over the alphabets $\mathcal{E}$ and $\mathcal{D}$.


Definition 8 (graph layer) The set $\mathcal{L}$ of graph layers is the set of tuples
$G = (N_G, E_G, t_G, F_G)$ where $E_G \subseteq \mathcal{A}$ is a (finite) set of edges, $N_G \subseteq \mathcal{N}$ a
(finite) set of nodes, $t_G : E_G \to N_G^*$ a tentacle function, and $F_G \subseteq N_G$ a set
of free nodes. The set $\mathcal{P}$ of plain graphs contains those graph layers $G$ such
that $E_G \subseteq \mathcal{A}_{\mathcal{E}}$.


Thus, we just equipped the standard notion of hypergraph with a chosen 
set of free nodes, intuitively denoting those nodes that are available to the 
environment, mimicking free names of our algebra. Next, we build the set of 
hierarchical graphs. 


Definition 9 (hierarchical graph) The set $\mathcal{H}$ of hierarchical graphs is
the smallest set³ containing the tuples $G = (N_G, E_G, t_G, i_G, x_G, r_G, F_G)$ where


³ Taking the least set we exclude that cyclic dependencies can arise from containment,
like a graph being embedded in one of its edges.
1. $(N_G, E_G, t_G, F_G)$ is a graph layer;


2. $i_G : E_G \cap \mathcal{A}_{\mathcal{D}} \to \mathcal{H}$ is an embedding function (we say that $i_G(e)$ is the
inner graph of $e \in E_G \cap \mathcal{A}_{\mathcal{D}}$);


3. $x_G : E_G \cap \mathcal{A}_{\mathcal{D}} \to \mathcal{N}^*$ is an exposure function ($x_G(e)$ tells which nodes
of $i_G(e)$ are exposed and in which order), such that for all $e \in E_G \cap \mathcal{A}_{\mathcal{D}}$


(a) $|x_G(e)| \subseteq N_{i_G(e)} \setminus F_{i_G(e)}$, i.e. free nodes of inner graphs are not
exposed;


(b) $|x_G(e)| = |t_G(e)|$, i.e. exposure and tentacle functions have the
same arity;


(c) $\forall n, m \in \mathbb{N}$ we have that $x_G(e)[n] = x_G(e)[m]$ iff $t_G(e)[n] = t_G(e)[m]$,
i.e. it is not possible to expose a node twice without
attaching it to the same external node (and vice versa);


4. $r_G : E_G \cap \mathcal{A}_{\mathcal{D}} \to (N_G \rightharpoonup \mathcal{N})$ is a renaming function ($r_G(e)$ tells
how the nodes $N_G$ are named in $i_G(e)$), such that for all $e \in E_G \cap \mathcal{A}_{\mathcal{D}}$,
$r_G(e)(N_G) = F_{i_G(e)}$, i.e. the nodes of the graph are (after renaming)
the free nodes of inner layers.


Thus, a hierarchical graph $G$ is either a plain graph, or it is equipped
with a function associating to each edge in $E_G \cap \mathcal{A}_{\mathcal{D}}$ another graph. The
tuple $(N_G, E_G, t_G, i_G)$ recalls the layered model of hierarchical graphs of [14],
with $i_G$ being the function that embeds a graph (of a lower layer) inside
an edge. Node sharing is introduced by the graph component $F_G$ and the
renaming function $r_G$, inspired by the graphs with (cospan-based) interfaces
of [18]. In practice, we shall often assume that $r_G(e)$ (when defined) is the
ordinary inclusion: the general case is useful to embed and reuse graphs
without renaming their nodes.

Recalling the programming metaphor, intuitively each hierarchical edge
$e$ can be seen as a procedure declaration: $t_G(e)$ are the actual arguments,
$x_G(e)$ the formal parameters, $F_{i_G(e)}$ the global variables for which $r_G(e)$ acts
as aliasing, and $N_{i_G(e)} \setminus (F_{i_G(e)} \cup |x_G(e)|)$ the local variables.


Example 3. Consider the last term of Example 1 and its informal graphical
representation in Figure 1 (right). Its actual interpretation as a hierarchical
graph⁴ appears in Figure 4 (left) decorated with the most relevant annotations
(the tentacle, exposure and renaming functions for the two hierarchical
edges). As witnessed by Figure 4 (right), we can introduce convenient
shorthands, such as dotted lines for mapping parameters, node-sharing
represented by unique nodes and tentacles crossing the hierarchy levels,
dropping the order of tentacles in favour of graphical decorations (missing
or different heads and tails) to get a simplified notation (reminiscent of
Figure 2 (right)) that still retains all the relevant information. Note that
such a simplified representation is very close to the informal notation of
terms of our graph algebra shown in Figure 1.


⁴ We shall not put any emphasis on the typing of the graph, but clearly if the set of
nodes is many-sorted an additional requirement should force the exposure and tentacle
functions to agree on the node types.


Figure 4: A hierarchical graph (left) and its simplified representation (right)
(drawing omitted; the left drawing annotates the two hierarchical edges $e_1$, $e_2$
with their tentacle, exposure and renaming functions, e.g. $x(e_1)[1]$, $x(e_2)[2]$, $t(e_2)[2]$).


These examples give an intuition of how our model of hierarchical
graphs works, and the comparison with the informal representation suggests
how they could be used to obtain an intuitive, clear visualisation. The
examples should also highlight that the algebra defined in § 2 provides
a simple syntax that hides the complexities of hierarchical structures, as they
occur in our model of hierarchical graphs. The syntax can then be used in
definitions, proofs and transformations in a much more friendly way than
would be the case when working directly with actual graphs.

In the rest of the section we explain how such graphs are obtained 
out of terms, but first we have to fix some notation and concepts. In the 
following, we shall just use graph in place of hierarchical graph. Note that 
the embedding structure forms a directed acyclic graph, whose unfolding
we call embedding tree. The leaves of the embedding tree are actually plain 
graphs. The height (resp. depth or layer) of a graph is the height (resp. 
depth) of its embedding tree. In the following, H denotes both the set of all 
such graphs or the category having such graphs as objects and the following 
graph morphisms as arrows. 


Definition 10 (graph morphism) Let $G, H$ be graphs such that $F_G \subseteq F_H$.
A graph morphism $\phi : G \to H$ is a tuple $(\phi_N, \phi_E, \phi_I)$ where $\phi_N : N_G \to N_H$
is a node morphism, $\phi_E : E_G \to E_H$ an edge morphism, and $\phi_I = \{\phi^e \mid e \in E_G \cap \mathcal{A}_{\mathcal{D}}\}$
a family of graph morphisms $\phi^e : i_G(e) \to i_H(\phi_E(e))$ such that⁵


1. $\forall e \in E_G$, $\phi_N(t_G(e)) = t_H(\phi_E(e))$, i.e. the tentacle function is
respected;


2. $\forall e \in E_G \cap \mathcal{A}_{\mathcal{D}}$, $\phi^e_N(x_G(e)) = x_H(\phi_E(e))$, i.e. the exposure function is
respected;


3. $\forall e \in E_G \cap \mathcal{A}_{\mathcal{D}}$, $\forall n \in N_G$, $\phi^e_N(r_G(e)(n)) = r_H(\phi_E(e))(\phi_N(n))$, i.e. the
renaming function is respected;


4. $\forall n \in F_G$, $\phi_N(n) = n$, i.e. the free nodes are preserved.


In the above definition we abuse the notation by lifting morphisms to 
sets and vectors. It is worth to observe that our morphisms are not the most 
general one can define. In particular, using the terminology of [24] they 
are root-level in the sense that they represent a layer-by-layer embedding. 
More general notions are the deep morphisms of [24] which embed a graph 
G into some lower graph of the embedding tree of a graph H. However, 
for the purpose of this paper our morphisms are enough: we can easily 
define isomorphisms and the category obtained has all pushouts for spans of 
injective morphisms, which we use to define a composition operator and which 
prepare the ground for some basic pushout-based graph transformations. 


Proposition 2 (pushouts [13]) Let $\phi : G \to H$, $\psi : G \to I$ be injective
graph morphisms. Then, the pushout of $\phi$ and $\psi$ always exists.


Here, injectiveness simply means that the underlying functions on the
nodes and edges of the graph layers are also injective. The proof is then
easy, since no item coalescing is forced by the span of arrows, and all the
auxiliary functions (exposure, etc.) are defined in the expected way.


⁵ Again, many-sorted alphabets would require the morphisms to be type consistent.
4 Encoding into graphs


We describe here the algebraic characterisation of graphs. We start by presenting
a few auxiliary definitions. In the following we denote the empty function
by $\bot$, distinguishing it from the empty set $\emptyset$.


Definition 11 Let $N \subseteq N_G$ be a subset of the nodes of graph $G$. Then,
$\overline{N}$ is the hierarchical graph given by the tuple $(N, \emptyset, \bot, \bot, \bot, \bot, N)$, and
$in_N : \overline{N} \to G$ is the obviously defined, injective graph morphism.


Graph composition is always defined, thanks to Proposition 2. 


Definition 12 (graph composition) Let $G, H$ be graphs. Then, the composition
of $G$ and $H$, denoted $G \oplus H$, is the (codomain of the) pushout of
the span $\overline{F_G \cap F_H} \to G$ and $\overline{F_G \cap F_H} \to H$.


We are now ready to see how terms of our algebra can be interpreted
as graphs. We assume that subscripts refer to the corresponding encoded
graph. For instance, $[\![G]\!] = (N_G, E_G, t_G, i_G, x_G, r_G, F_G)$.


Definition 13 (graph interpretation) The encoding $[\![\cdot]\!]$, mapping well-formed
terms into graphs, is the function inductively defined as

$$
\begin{array}{rcl}
[\![x]\!] & = & \overline{\{x\}} \\
[\![0]\!] & = & (\emptyset, \emptyset, \bot, \bot, \bot, \bot, \emptyset) \\
[\![l(\bar{x})]\!] & = & (|\bar{x}|, \{e'\}, e' \mapsto \bar{x}, \bot, \bot, \bot, |\bar{x}|) \\
[\![G \mid H]\!] & = & [\![G]\!] \oplus [\![H]\!] \\
[\![(\nu x)G]\!] & = & (N_G, E_G, t_G, i_G, x_G, r_G, F_G \setminus \{x\}) \\
[\![L_{\bar{x}}[G](\bar{y})]\!] & = & (N', \{e\}, e \mapsto \bar{y}, e \mapsto [\![G]\!] \oplus \overline{|\bar{y}|}, e \mapsto \bar{x}, e \mapsto id_{N'}, N') \\
 & & \quad \text{where } N' = (F_G \setminus |\bar{x}|) \cup |\bar{y}|
\end{array}
$$

where $e' \in \mathcal{A}_{\mathcal{E}}$ and $e \in \mathcal{A}_{\mathcal{D}}$.


The encoding into (plain) graphs of the empty design, isolated nodes 
and single edges is trivial. Node restriction consists of removing the restricted 
node from the set of free nodes. The encoding of the parallel composition is 
as expected: a disjoint union of the corresponding hierarchical graphs up to 
common free nodes, plus a possible saturation of the sub-graphs with the 
nodes now appearing in the top graph layer. A hierarchical edge (last row) is 
basically a graph with a single edge (which is mapped to the corresponding 
body graph) and a copy of the free nodes of the body graph (properly 
mapped to the corresponding copies in the body), while adding the names 
$\lfloor \bar y \rfloor$ among the free ones. 

We say that two graphs $G, H$ are isomorphic (denoted $G \cong H$) whenever 
there is an isomorphism between them. 
We can now show that our encoding is sound and complete, meaning 
that equivalent terms are mapped to isomorphic graphs and vice versa. 


Theorem 1 Let $G_1, G_2$ be well-formed terms generated by the design algebra. 
Then, $G_1 \equiv_D G_2$ if and only if $[G_1] \cong [G_2]$. 


Proof: The soundness is rather straightforward: it proceeds by showing 
that each axiom is preserved by the encoding. The result follows from 
standard properties of pushouts for axioms DA1–DA3 and axiom DA9 and 
of set difference for axioms DA4–DA6. Alpha-renaming axioms DA7–DA8 
are dealt with by graph isomorphism, thanks to the side conditions in 
Definition 4 that guarantee type preservation and avoid node coalescing. 
The most interesting axiom is therefore DA10, for which we detail the proof. 
Below we let $[G] = (N_G, E_G, t_G, i_G, x_G, r_G, F_G)$, $N' = (F_G \setminus \lfloor \bar x \rfloor) \cup \lfloor \bar y \rfloor$ and 
$N'' = N' \cup \{z\}$. 


$[z \mid L_{\bar x}[G](\bar y)]$ 
$= [z] \oplus [L_{\bar x}[G](\bar y)]$ 
$= [z] \oplus (N', \{e\}, e \mapsto \bar y, e \mapsto [G] \oplus [\lfloor \bar y \rfloor], e \mapsto \bar x, e \mapsto id_{N'}, N')$ 
$= (N'', \{e\}, e \mapsto \bar y, e \mapsto [z] \oplus [G] \oplus [\lfloor \bar y \rfloor], e \mapsto \bar x, e \mapsto id_{N''}, N'')$ 
$\cong (N'', \{e\}, e \mapsto \bar y, e \mapsto [z \mid G] \oplus [\lfloor \bar y \rfloor], e \mapsto \bar x, e \mapsto id_{N''}, N'')$ 
$= [L_{\bar x}[z \mid G](\bar y)]$ 

The crucial step is the one where graph isomorphism $\cong$ is exploited: 
the passage is valid, because $z$ is a free name and therefore it is certainly 
preserved by the morphisms induced from the pushout at the top-level. 

The completeness proof is more involved. The proof sketch we present 
here is modelled after the one for [11, Lemma 22], and it proceeds by exploit- 
ing the normal form for well-formed terms of our algebra (see Definition 5). 

Now, let $G_1$ and $G_2$ be two terms such that $G_1 \not\equiv_D G_2$ but they are 
mapped to isomorphic graphs. Without loss of generality, we assume that 
the terms are in normal form and that the sum of their depths is the 
minimal value for which two such terms can be found. The isomorphism 
$\phi: [G_1] \to [G_2]$ ensures that at the top level the graphs $[G_1]$ and $[G_2]$ have 
the same number of nodes and exactly the same free nodes. Moreover it 
establishes a bijective correspondence between the edges in $[G_1]$ and those 
in $[G_2]$, so that $e$ and $\phi(e)$ must carry the same label and their tentacle 
functions must commute w.r.t. $\phi$. Thus, $G_1$ and $G_2$ must have the shape 

Hoi l@ ol 
and 
Go = (vai)... (van) (4) 12h Ty) LILES [GY] w%) ) 

for suitable $G'_i$ and $G''_i$ in normal form such that $[G'_i] \cong [G''_i]$. Since $G_1 \not\equiv_D G_2$, 
there must be some index $k$ such that $G'_k \not\equiv_D G''_k$, but this contradicts the 
existence of $G_1$ and $G_2$, because the sum of the depths of $G'_k$ and $G''_k$ is 
clearly strictly less than that of $G_1$ and $G_2$. 


Moreover, our encoding is surjective, i.e. every graph can be denoted 
by a term of the algebra. 


Proposition 3 Let $\mathcal{G}$ be a graph. Then, there exists a well-formed term $G$ 
generated by the design algebra such that $\mathcal{G}$ is isomorphic to $[G]$. 


Proof: The proof proceeds by induction on the height of the embedding 
tree of a graph. 

If the height is 0, i.e. if the graph is flat, the proof is quite straight- 
forward. Indeed, let us consider a graph $(N, E, t, \bot, \bot, \bot, F)$. Now, the 
underlying graph without interfaces can be considered as the union of (pos- 
sibly connected) edges $\{l_1(\bar x_1), \ldots, l_n(\bar x_n)\}$ and isolated nodes $\{y_1, \ldots, y_m\}$, 
additionally verifying $F \subseteq N = \bigcup_{i=1..n} \lfloor \bar x_i \rfloor \cup \{y_1, \ldots, y_m\}$. Thus, the as- 
sociated term of the algebra is given by $(\nu z_1) \ldots (\nu z_k)(N \mid \prod_{i=1..n} l_i(\bar x_i))$ 
for $\{z_1, \ldots, z_k\} = N \setminus F$. Performing the parallel composition by means of 
pushouts implements the sharing of nodes among the edges of the graph. 

The induction step is similar. Let us assume that the correspondence 
holds for each graph in the lower layers. Moreover, note that each one of 
those graphs contains as free nodes all those nodes occurring at the top-most 
layer. And since also the top-most layer of the graph can be modeled as the 
union of (possibly connected) edges and isolated nodes, the required term is 
obtained by inserting all the terms corresponding to the graphs in the lower 
layers in the right position of the design at the top level. 


If either flattening or extrusion axioms are present, then the encoding 
must be changed to "dissolve" certain embeddings and edges. To this aim, 
we need to distinguish three different cases in the encoding of designs: the 
first rule works exactly as before, when neither flattening nor extrusion 
axioms are actually present, while the other two are shown below 

$[L_{\bar x}[G](\bar y)] = (N, \{e\}, e \mapsto \bar y, e \mapsto [G] \oplus [\lfloor \bar y \rfloor], e \mapsto \bar x, e \mapsto id_N, N')$ if $\mathsf{extr}_L \in\ \equiv_D$ 
$[L_{\bar x}[G](\bar y)] = [G\{\bar y / \bar x\}]$ if $\mathsf{flat}_L \in\ \equiv_D$ 

where $e \in \mathcal{A}_{\mathcal{D}}$ and $N$, $N'$ stand for $(N_G \setminus \lfloor \bar x \rfloor) \cup \lfloor \bar y \rfloor$ and $(F_G \setminus \lfloor \bar x \rfloor) \cup \lfloor \bar y \rfloor$, 
respectively. 

If a flattening axiom occurs, there is no associated edge: the encoding 
of $L_{\bar x}[G](\bar y)$ is the same as the one of $G$, after suitably renaming the nodes. 
In other words, the axiom is interpreted directionally, and the associated 
enclosing edge has no occurrence of the flattened design. Likewise, if an 
extrusion axiom occurs, the structural congruence is interpreted directionally, 
and the restriction operators float to the top. Indeed, now all the names of 
$G$ appear in $L_{\bar x}[G](\bar y)$, except those in $\lfloor \bar x \rfloor$ (exposed as those in $\lfloor \bar y \rfloor$). 

Soundness and completeness still hold. However, in the presence of 
extrusion axioms the encoding is not surjective, unless we impose some 
well-formedness criteria over embedding edges to require that all the nodes 
of a lower layer that are not exposed do occur in the higher one when the 
embedding exploits an arc with label $L$ for which the extrusion axiom holds. 


5 A calculus with flat structure and communication: the $\pi$-calculus 


This section offers a first instance of our approach by presenting an encoding 
of the finitary fragment of the $\pi$-calculus [22]. We have chosen this example 
due to its popularity and simplicity. Moreover, as a graphical encoding 
already exists [18], we can compare the two proposals and evaluate the 
convenience of exploiting our graph algebra in the definition of the encoding 
and, most importantly, in its proof of correctness. Familiarity with the 
calculus would be helpful but our presentation should suffice for our aims. 


5.1 The $\pi$-calculus 


Definition 14 ($\pi$-calculus syntax) Let $\mathcal{U}$ be a set of names. The set $\mathcal{P}$ 
of (finite) processes is the set of terms of sort $P$ generated by the grammar 

$P ::= 0 \mid M \mid (\nu a)P \mid P \,|\, P$ 
$M ::= M + M \mid \pi.P$ 

where $\pi \in \{\tau\} \cup \{a(b), \bar a b \mid a, b \in \mathcal{U}\}$ and $a \in \mathcal{U}$. 


In the definition above, terms generated by $P$ and $M$ are called processes 
and sequential processes (or summations), respectively. We recall that $\tau$, 
$a(b)$ and $\bar a b$ are called, respectively, the silent prefix, the input prefix and the 
output prefix; moreover, the input prefix $a(b).P$ and the restriction operator 
$(\nu b)P$ act as binders for $b$ with scope $P$. We denote by $n(\pi)$ the names 
appearing in $\pi$, i.e. $n(\tau) = \emptyset$ and $n(a(b)) = n(\bar a b) = \{a, b\}$. The standard 
definition for the set of free names of a process $P$, denoted by $fn(P)$, is 
assumed. Similarly for $\alpha$-convertibility, with respect to the binders: the 
name $b$ is bound in both $a(b).P$ and $(\nu b)P$, and it can be freely $\alpha$-converted. 


Example 4. Consider the following process $agent \triangleq (\nu\, secret)\, \overline{private}\, secret$, 
which represents an agent ready to send a fresh name $secret$ over the free 
channel $private$. Now, consider $gossiper \triangleq (\nu\, msg)\, private(confidential).$ 
$(\overline{confidential}\, msg + \overline{public}\, confidential)$, which represents an agent ready 
to read a name $confidential$ from the free channel $private$, after which a new 
message $msg$ over the $confidential$ channel or the $confidential$ name over 
the free channel $public$ can be sent. Note that $fn(agent) = \{private\}$, while 
$fn(gossiper) = \{private, public\}$. The process $sys \triangleq (\nu\, private)(agent \mid gossiper)$ 
represents a system in which the former two agents are put 
in parallel and communicate through the local channel $private$ (in fact 
$fn(sys) = \{public\}$). 

A congruence relation captures structural equivalences like the commu- 
tativity and associativity of parallel composition or the $\alpha$-renaming of bound 
names. The structural congruence for the $\pi$-calculus is defined as follows. 


Definition 15 ($\pi$-calculus structural congruence) The structural con- 
gruence for processes $\equiv_\pi$ is the least congruence satisfying 

$P \mid Q \equiv Q \mid P$ ($\pi$A1) 
$P \mid (Q \mid R) \equiv (P \mid Q) \mid R$ ($\pi$A2) 
$P \mid 0 \equiv P$ ($\pi$A3) 
$M + N \equiv N + M$ ($\pi$A4) 
$M + (N + O) \equiv (M + N) + O$ ($\pi$A5) 
$(\nu a)0 \equiv 0$ ($\pi$A6) 
$(\nu a)(\nu b)P \equiv (\nu b)(\nu a)P$ ($\pi$A7) 
$P \mid (\nu a)Q \equiv (\nu a)(P \mid Q)$ if $a \notin fn(P)$ ($\pi$A8) 
$\pi.(\nu a)P + M \equiv (\nu a)(\pi.P + M)$ if $a \notin fn(M) \cup n(\pi)$ ($\pi$A9) 
$(\nu a)P \equiv (\nu b)P\{b/a\}$ if $b \notin fn(P)$ ($\pi$A10) 
$c(a).P \equiv c(b).P\{b/a\}$ if $b \notin fn(P)$ ($\pi$A11) 

Axiom $\pi$A9 is not standard but is sometimes included in the structural 
congruence in order to consider restriction as some sort of declaration 
(conversely, the absence of the axiom means that restriction is some sort 
of run-time fresh name generation). In our case we preferred to consider it 
since it yields a clearer graphical representation. However, dealing with 
the absence of the axiom is also standard as explained in [18]. 

Figure 5: Type graph for the $\pi$-calculus. 


5.2 Encoding the z-calculus 


We start presenting (cf. Figure 5) the graph items that we shall use. Basically, 
we have design sorts (labels of $\mathcal{D}$) corresponding to those present in the 
$\pi$-calculus, i.e. the syntactical categories for processes ($P$) and summations 
($M$) and the sort of names, to which we add some auxiliary ones. More 
precisely, the node sorts we consider are $\bullet$, $\triangleright$ and $\circ$, which intuitively correspond 
to control points of parallel and sequential processes, and channel names, 
respectively. Design labels $P$ and $M$ model designs representing parallel 
and sequential processes and they are used to ensure the well-formedness of 
graphs. To achieve this we introduce the flattening axioms $\mathsf{flat}_P$ and $\mathsf{flat}_M$, 
which in the visualisation are represented by dotted boxes. Both design 
types $P$ and $M$ have a unique tentacle denoted with a plain line, which is 
to be attached to a control point of the corresponding type. 

Edge labels (of $\mathcal{E}$) are $\tau$, $in$, $out$ and $c$, which respectively correspond 
to silent actions, inputs, outputs and explicit casting from sequential to 
parallel processes (to be explained later). Such labels are needed because 
we consider action prefixes as being material in the encoding, i.e. we use 
graph items to represent them. On the other hand, parallel composition 
and non-deterministic choice are considered as being immaterial, i.e. they 
are interpreted as graph operations that do not introduce any graph item. 
Intuitively, this reflects the axioms associated to the operations. We use a 
plain line and an arrow for the entry and exit control points of actions and the 
explicit cast. Channel and message arguments of communication operations 
are denoted by arrows ended by empty and filled diamonds, respectively. 

Figure 6: Graphical interpretation for the $\pi$-calculus (processes). 

Figure 7: Graphical interpretation for the $\pi$-calculus (summations). 
We are ready to define the graphical encoding of the $\pi$-calculus. We 
define it in terms of derived operators, instead of using a denotational 
encoding, to stress the similarities and common sorting between the calculus 
and our graph algebra. We find it convenient to introduce a cast operator from 
$M$ to $P$ (as in [18]) which allows us to distinguish between the two sorts of 
control points where different forms of branching apply (parallel and choice). 


Definition 16 ($\pi$-calculus encoding) The interpretation of the operators 
of the $\pi$-calculus over the design algebra is given by 

$0 \triangleq P_p[p]$ 
$(\nu x)R \triangleq P_p[(\nu x)R(p)]$ 
$Q \mid R \triangleq P_p[Q(p) \mid R(p)]$ 
$(N) \triangleq P_p[(\nu d)(c(p, d) \mid N(d))]$ 
$N + O \triangleq M_d[N(d) \mid O(d)]$ 
$\tau.Q \triangleq M_d[(\nu p)(\tau(d, p) \mid Q(p))]$ 
$\bar x y.Q \triangleq M_d[(\nu p)(out(d, x, y, p) \mid Q(p))]$ 
$x(y).Q \triangleq M_d[(\nu p, y)(in(d, x, y, p) \mid Q(p))]$ 

together with axioms $\mathsf{flat}_P$ and $\mathsf{flat}_M$. 


The graphical representation of the above definition can be found in 
Figures 6 and 7. We remark only the most relevant aspects. Casting from 
sequential processes into parallel ones must be done explicitly to distinguish 
summations from processes (as in [18]). This is done by connecting via 
prefixing the graph of a sequential process with a $c$-labelled edge. The 
parallel composition of two processes $Q$ and $R$ amounts to embedding the 
respective graphs of $Q$ and $R$ in $P$-typed edges attached to the same $\bullet$-typed 
node. Note that our informal visualisation fuses the tentacles of the designs 
corresponding to the two processes that are put in parallel and the resulting 
one (their composition). This results in a visually appealing representation. 
The presence of the flattening axiom $\mathsf{flat}_P$ dissolves the embedding and 
as a result the corresponding graphs will be at the same level. Processes in 
parallel thus become graphs departing from the same control point. Another 
relevant part of the encoding regards the input prefix, since it involves a 
free and a bound name, and a process. We see that the encoding of $x(y).Q$ 
consists of an arc representing the input operation which is attached to the 
main $\triangleright$-typed control point and its $\bullet$-typed continuation where the graph 
corresponding to $Q$ is plugged. The edge representing the input action 
is connected to a free and a bound node representing the communication 
channel $x$ and the argument channel $y$, respectively. In our visualisation, 
variable graph items are denoted by labelling them with variable names 
(such as $x$ and $y$ in the encoding of action prefixes). 


Example 5. Recall the process of Example 4. Its graphical encoding is 
depicted in Figure 8. The figure clearly represents the two different forms 
of branching: the parallel composition of both the agent and the gossiper 
processes and the choice of the gossiper after reading the secret channel. 

Figure 8: Graphical encoding of a process. 


Note how the sort of edges disambiguates the form of branching and how 
explicit casting is used to change the control point sort. The sharing of 
names (like channel private) where processes synchronise is also evident. It 
is also worth noting how the graphical representation distinguishes global 
and restricted names: the former are depicted as lying outside the P-labeled 
frame and the latter inside it. 


The proposed encoding is sound and complete, i.e. two processes are 
structurally congruent if and only if they are mapped to isomorphic graphs. 
As a matter of fact, the graphs obtained are roughly the same as those 
proposed in the encoding of [18] for the finite fragment of the calculus. In 
addition, our encoding precisely characterises in a compact and elegant way 
the set of all graphs that correspond to $\pi$-calculus processes, namely those 
generated by the derived algebra (which is implicitly given by the encoding). 


Proposition 4 (correctness of $\pi$-calculus encoding) For any $P, Q \in \mathcal{P}$, 
$P \equiv_\pi Q$ iff $P \equiv_D Q$. 


Proof: The graph algebra provides a handy, elegant notation to carry 
out the proof of soundness in a purely algebraic form. For the purpose 
of the proof it turns out to be convenient to use a functional notation for 
the encoding. So we let $[P]$ denote the interpretation of $P$ according to 
Definition 16. Now, all we have to show is that the structural axioms of the 
$\pi$-calculus identify equivalent designs. More precisely, we have to show that 
for each axiom $P \equiv Q$ in $\equiv_\pi$ we have $[P] \equiv_D [Q]$. This is enough since the 
proof of $P \equiv Q$ just applies the axioms of $\equiv_\pi$, plus additionally the closure 
with respect to the operators of the calculus, and the latter component is 
satisfied by definition. 

Consider axiom $\pi$A1, i.e. $Q \mid R \equiv R \mid Q$. We have 

$[Q \mid R]$ 
$= P_p[Q(p) \mid R(p)]$ (Definition 16) 
$= P_p[R(p) \mid Q(p)]$ (Axiom DA1) 
$= [R \mid Q]$ (Definition 16) 


The proof for the remaining axioms is similar. For instance, the proof for 
axioms $\pi$A2–$\pi$A6 regarding commutativity, associativity and neutral element 
for parallel and non-deterministic composition of processes is straightforward 
(as the above one of $\pi$A1) as we have similar axioms for parallel composition 
of graphs in $\equiv_D$. The same reasoning can be applied for $\alpha$-conversion and 
for axioms $\pi$A7–$\pi$A9 regarding the restriction operator. 

As the encoding maps processes to essentially flat graphs, the proof of 
completeness could be carried out just exploiting the result in [18]. However, 
we provide here a direct proof that exploits algebraic reasoning: we shall use 
the normal form of $\pi$-calculus processes to show that $P \not\equiv_\pi Q \Rightarrow [P] \not\equiv_D [Q]$. 
The standard normal form of processes is $(\nu \bar x)S_1 \mid \cdots \mid S_n$, where 
$\bar x \subseteq fn(S_1 \mid \cdots \mid S_n)$ and each $S_i$ is of the form $\sum_j \lambda_{i,j}.Q_{i,j}$ with each $Q_{i,j}$ 
again in normal form, but with no occurrence of the restriction operator: 
intuitively, all restrictions appear as early as possible in the term and what 
follows is the parallel composition of non-deterministic choices of processes 
$Q_{i,j}$ in normal form, all prefixed with an action $\lambda_{i,j}$. 

Now suppose that we are given two processes $Q$ and $R$ that are not 
structurally equivalent, i.e. we have $Q \not\equiv_\pi R$. We analyse all possibilities 
for this to occur and show that in all cases it follows $[Q] \not\equiv_D [R]$. Roughly, 
either the two processes have the same outermost shape or they do not. 
If they have the same outermost shape, then they must differ for some 
subterms and then we can exploit the inductive hypothesis to assume that 
such subterms correspond to non-isomorphic graphs and then conclude that 
$[Q] \not\equiv_D [R]$ (the base case for induction is vacuous, as both processes would 
be $0$). Therefore we are left to show that if $Q$ and $R$ have different outermost 
shapes their encodings can be distinguished. 
We start with the simple case where the topmost restrictions differ. 
Without loss of generality suppose that $Q \triangleq (\nu \bar z)Q'$ and $R \triangleq (\nu x)(\nu \bar z)R'$, 
with $x$ in $fn(R')$ but not in $\bar z$. We have $[Q] = P_p[(\nu \bar z)[Q'](p)]$ and $[R] = 
P_p[(\nu x)(\nu \bar z)[R'](p)]$: they cannot be identified by $\equiv_D$ since $x$ is clearly part 
of $fn([R'])$ and we know that $\equiv_D$ respects free names. 

Consider now that both top-restrictions are equivalent but the number of 
sequential processes in the topmost parallel differs. Without loss of generality 
suppose that $Q \triangleq (\nu \bar x)(S_1 \mid \cdots \mid S_n)$ and $R \triangleq (\nu \bar x)(T_1 \mid \cdots \mid T_n \mid T_{n+1})$. 
We have $[Q] = P_p[(\nu \bar x)([S_1](p) \mid \cdots \mid [S_n](p))]$ and $[R] = P_p[(\nu \bar x)([T_1](p) \mid 
\cdots \mid [T_n](p) \mid [T_{n+1}](p))]$: they cannot be equivalent terms since each $[S_i]$ 
(being of the form $\sum_j \lambda_{i,j}.Q_{i,j}$) contributes at least one distinguished 
tentacle outgoing from node $p$, and similarly for each $[T_i]$. 

The rest of the cases follow a similar reasoning. 


6 A calculus with nested structure and no communication: Sagas 


We consider in this section the nested sagas with programmable compensations 
of [8], a calculus for long running transactions. 


6.1 Sagas 


The calculus (which we shall call just sagas) aims at providing a core language 
for composing activities into sagas (atomic transactions) or processes (non- 
atomic compensable activities). Formally, the syntax of sagas is as follows. 


Definition 17 (sagas syntax) Let $\mathcal{A}$ be a set of atomic activities. The 
sets $\mathcal{S}$ of sagas and $\mathcal{P}$ of compensable processes are the sets of terms of sorts 
$S$ and $P$, respectively, generated by the grammar below 

$S ::= a \mid \{P\}$ (sagas) 
$P ::= S \% S \mid P ; P \mid P \,|\, P$ (processes) 

where $a \in \mathcal{A}$. 
For the sake of simplicity, with respect to the original presentation we 
neglect the introduction of nil processes and non-compensable activities. A 
saga is an atomic activity or an arbitrarily complex transaction built out 
from a compensable process. A basic process $A \% B$ is built by declaring 
a saga $A$ as an ordinary flow and equipping it with another saga $B$ as its 
compensation flow. The calculus provides also primitives for composing 
processes in sequence and parallel (split&join). 


Example 6. Consider the following example, inspired from [8], of the saga 
$\{acceptOrder \% refuseOrder ; ( updateCredit \% refundOrder \mid prepareOrder \% 
updateStock \mid \{addPoints \% skip\} \% \{substractPoints \% skip\})\}$. The saga is 
used for modelling a scenario for dealing with purchase orders. The initial 
activity ($acceptOrder$) handles requests from clients. Next, three processes 
are executed in parallel. The first one ($updateCredit$) charges the amount 
of the order to the balance of the client. The second one ($prepareOrder$) 
handles the packaging of the order and updates the stock. The third one 
deals with point reward activities: it is formed by a nested saga to update 
the reward balance of a user (part of a program for accumulating points 
with purchases). All the activities have a corresponding compensation to 
undo the actions performed by the successful completion of the activities. 
Note that activity $addPoints$ has a vacuous compensation ($skip$), to avoid 
aborting the purchase when the point accumulation activity aborts due to 
absence of a reward account (idem for activity $substractPoints$). 


The structural congruence for sagas captures the associativity of se- 
quential and parallel composition and the commutativity of the latter. 

Definition 18 (sagas structural congruence) The structural congruence 
for sagas $\equiv_S$ is the least congruence satisfying 

$P ; (Q ; R) \equiv (P ; Q) ; R$ (sA1) 
$P \mid Q \equiv Q \mid P$ (sA2) 
$P \mid (Q \mid R) \equiv (P \mid Q) \mid R$ (sA3) 

where $P, Q, R \in \mathcal{P}$. 


6.2 Encoding sagas 


As in the encoding of the $\pi$-calculus the first idea is to interpret syntactical 
categories of the calculus as design sorts (i.e. labels in $\mathcal{D}$) and constructors as 
derived operators over our graph algebra. In this case we decide to introduce 
design labels $N$ for Nested sagas, $S$ for Sagas, $P$ for compensable Pairs and 
$T$ (Transactions) for compensable processes. Note that $N$ is a subsort of $S$, 
while $P$ is a subsort of $T$. Figure 9 illustrates our type graph. We have 
chosen an arity of four tentacles for pairs and transactions to denote the 
following control points: entry of the ordinary flow (incoming filled arrow), 
exit of the ordinary flow (outgoing filled arrow), entry of the compensation 
flow (incoming empty arrow) and exit of the compensation flow (outgoing 
empty arrow). Activities and sagas are represented by edges with only two 
tentacles (for the ordinary flow). Note that we have actually a family of 
activity edges, one for each activity in $\mathcal{A}$, i.e. $\mathcal{A}$ is our designated set of edge 
labels $\mathcal{E}$. Because $S$ and $T$ are just used for composition we introduce the 
flattening axioms $\mathsf{flat}_S$ and $\mathsf{flat}_T$. 

Figure 10: Graphical interpretation for sagas. 

The encoding is formally defined as follows (cf. Figure 10). 


Definition 19 (sagas encoding) The interpretation of the sagas opera- 
tors over the design algebra is given by 

$a \triangleq S_{p,q}[a(p, q)]$ 
$\{Q\} \triangleq N_{p,q}[(\nu t)Q(p, q, t, q)]$ 
$A \% B \triangleq P_{p,q,r,s}[A(p, q) \mid B(r, s)]$ 
$Q ; R \triangleq T_{p,q,r,s}[(\nu u, v)(Q(p, u, v, s) \mid R(u, q, r, v))]$ 
$Q \mid R \triangleq T_{p,q,r,s}[Q(p, q, r, s) \mid R(p, q, r, s)]$ 

together with axioms $\mathsf{flat}_S$ and $\mathsf{flat}_T$. 

Figure 11: Graphical encoding of a saga. 


Note again that some primitives of the calculus are considered as 
material in the encoding, i.e. represented by graph items like edges. This 
is the case of activities (as it was the case for actions in the $\pi$-calculus) as 
shown in Figure 9 and also of compensable pairs and nested sagas. Instead, 
sequencing and parallel composition (see Figure 10) are immaterial and their 
associated axioms are captured by the flattening axioms. 


Example 7. Figure 11 depicts the graphical representation of the saga 
introduced in Example 6. It is worth noting the nesting of sagas, which 
decouples the entry of the compensation flow and redirects the exit flow 
into the ordinary flow. Also note the two uses of nesting: immaterial for 
parallel and sequential composition and material for basic processes and 
nested transactions. 


The proposed encoding is sound and complete, i.e. equivalent processes 
and sagas are mapped into isomorphic graphs. 


Proposition 5 (correctness of sagas encoding) For any $Q, R \in \mathcal{P}$ we 
have $Q \equiv_S R$ iff $Q \equiv_D R$. 


Proof: As in the proof of the encoding of the $\pi$-calculus we show 
each direction of the equivalence separately, starting with soundness, i.e. 
$Q \equiv_S R \Rightarrow Q \equiv_D R$. Again, $[\cdot]$ denotes the interpretation according to 
Definition 19 and we just need to show that the structural axioms of the 
sagas only identify equivalent designs. 

Consider axiom sA1, i.e. $P ; (Q ; R) \equiv (P ; Q) ; R$. We have 

$P ; (Q ; R)$ 
$= T_{p,q,r,s}[(\nu u, v)(P(p, u, v, s) \mid (Q ; R)(u, q, r, v))]$ (Definition 19) 
$= T_{p,q,r,s}[(\nu u, v)(P(p, u, v, s) \mid T_{u,q,r,v}[(\nu u', v')(Q(u, u', v', v) \mid R(u', q, r, v'))])]$ (Definition 19) 
$= T_{p,q,r,s}[(\nu u, v)(P(p, u, v, s) \mid (\nu u', v')(Q(u, u', v', v) \mid R(u', q, r, v')))]$ ($\mathsf{flat}_T$) 
$= T_{p,q,r,s}[(\nu u', v')(\nu u, v)((P(p, u, v, s) \mid Q(u, u', v', v)) \mid R(u', q, r, v'))]$ (DA4, DA6, DA2) 
$= T_{p,q,r,s}[(\nu u', v')(T_{p,u',v',s}[(\nu u, v)(P(p, u, v, s) \mid Q(u, u', v', v))] \mid R(u', q, r, v'))]$ ($\mathsf{flat}_T$) 
$= T_{p,q,r,s}[(\nu u', v')((P ; Q)(p, u', v', s) \mid R(u', q, r, v'))]$ (Definition 19) 
$= (P ; Q) ; R$ (Definition 19) 


The proofs for axioms sA2 and sA3 are also straightforward and similar 
to the above proof and those for the parallel axiom of the $\pi$-calculus. 

Now we prove completeness, i.e. $Q \equiv_D R \Rightarrow Q \equiv_S R$. The proof 
technique is analogous to the one seen for the $\pi$-calculus, but with a slightly 
more complicated case to consider, which requires an original bit of reasoning 
and where the graph algebra can be exploited conveniently. We shall use 
the normal form of processes to show that $Q \not\equiv_S R \Rightarrow Q \not\equiv_D R$. The normal 
form of a saga $S$ is either $a$ or $\{P\}$ with $P$ in normal form, and the normal 
form of a compensable process $Q$ is either $A \% B$ or $Q_1 ; \ldots ; Q_n$ (with $n > 1$ 
and each $Q_i$ again in normal form, of course excluding the occurrence of 
sequence operators on top) or $Q_1 \mid \cdots \mid Q_n$ (with $n > 1$ and each $Q_i$ again 
in normal form, excluding the occurrence of parallel compositions on top). 

Now suppose that we are given two processes $Q$ and $R$ that are not 
structurally equivalent, i.e. we have $Q \not\equiv_S R$. We analyse all possibilities for 
this to occur and show that in all the cases it follows $[Q] \not\equiv_D [R]$. If they 
have the same shape, then the proof can be easily carried out by inductive 
arguments. If they have different shapes, then we must analyse the possible 
combinations separately. 

We start with the simplest case for $Q$, i.e. $Q = A \% B$. We have several 
cases in which $R$ is not structurally equivalent to $A \% B$. First, $R$ can be of 
the form $C \% D$ with at least one of $C$ and $D$ being respectively different 
from $A$ and $B$. Trivially $A \% B \not\equiv_D C \% D$. Another possibility for $R$ is to 
be of the form $R_1 ; \ldots ; R_n$. This case is trivial since the interpretation of 
$\_ ; \_$ introduces new nodes that cannot be removed by $\equiv_D$. Finally, $R$ can be 
of the form $R_1 \mid \cdots \mid R_n$ but note that each subprocess $R_i$ must have one 
of the forms we previously attempted for $R$ (excluding the occurrence of 
parallel compositions on top). Hence, again they cannot be equivalent to 
$A \% B$. We conclude that $Q \not\equiv_D R$. 

The difficult case is when one of the processes (say $Q$) has the shape 
of a sequential composition $Q_1 ; \ldots ; Q_n$ (with $n > 1$) and the other pro- 
cess that of a parallel composition $R_1 \mid \cdots \mid R_m$ (with $m > 1$). In this 
case we can look more closely at the encoded terms. By structural in- 
duction it is easy to prove that both can be reduced to normal forms 
$T_{p,q,r,s}[(\nu \bar u, \bar v) \prod_i P_{\bar p_i}[G_i](\bar a_i)]$ and $T_{p,q,r,s}[(\nu \bar u', \bar v') \prod_i P_{\bar p'_i}[G'_i](\bar a'_i)]$. If they in- 
volve a different number of $P$-edges or a different number of restrictions 
then we are done. If not, let us observe that the parallel and sequential 
flows underlying the graphical representation of such processes induce a 
partial order over the nodes and edges (e.g. along the direction of the ordi- 
nary flow). Obviously such order must be preserved by graph isomorphism. 
Then we can prove that $Q_1 ; \ldots ; Q_n$ cannot be isomorphic to $R_1 \mid \cdots \mid R_m$ 
just by considering the fresh node $u$ introduced by $[Q_1 ; (Q_2 ; \ldots ; Q_n)] = 
T_{p,q,r,s}[(\nu u, v)([Q_1](p, u, v, s) \mid [Q_2 ; \ldots ; Q_n](u, q, r, v))]$: clearly the node $u$ 
must follow any (topmost) $P$-labeled edge introduced by $Q_1$, i.e. any (top- 
most) $P$-labeled edge with a tentacle attached to the node $p$. Now take 
$[R_1 \mid (R_2 \mid \cdots \mid R_m)] = T_{p,q,r,s}[[R_1](p, q, r, s) \mid [R_2 \mid \cdots \mid R_m](p, q, r, s)]$. 
For $[Q_1 ; (Q_2 ; \ldots ; Q_n)]$ and $[R_1 \mid (R_2 \mid \cdots \mid R_m)]$ to be isomorphic, the 
(image of) node $u$ should be introduced in $[R_1 \mid (R_2 \mid \cdots \mid R_m)]$ either by 
$[R_1]$ or by $[R_2 \mid \cdots \mid R_m]$, but it is then evident that in any case there 
would be $P$-labeled edges (at least one) provided by the other term which 
are attached directly to node $p$ but are independent w.r.t. $u$ (at the al- 
gebraic level, this is made clear by the scoping rules for restricted names). 


7 A calculus with nested structures and communication: CaSPiS 


This section presents the graphical representation of CaSPiS [1], a session- 
centered calculus. We have chosen this calculus since it represents a non- 
trivial example of the interplay between nesting and linking introduced by 
nested sessions, pipelines and communication. 


7.1 CaSPiS 


We briefly overview CaSPiS and we refer the interested readers to [1] for 
an exhaustive description. We remark that we focus here on the close- 
free fragment of the calculus and we present a slightly different syntax. 
Both decisions are for the sake of a convenient and clean presentation and 
constitute no limitation. 


Definition 20 (CaSPiS syntax) Let $\mathcal{Z}$ be a set of session names, $\mathcal{S}$ a set 
of service names and $\mathcal{V}$ a set of value names. The set $\mathcal{P}$ of processes is the 
set of terms of sort $P$ generated by the grammar 

$P ::= 0 \mid A.P \mid P > P \mid (\nu w)P \mid P \,|\, P \mid r \triangleright P$ 
$A ::= s \mid \bar s \mid (?x) \mid \langle u \rangle \mid \langle u \rangle^\uparrow$ 

where $s \in \mathcal{S}$, $r \in \mathcal{Z}$, $u \in \mathcal{V}$, $w \in \mathcal{V} \cup \mathcal{Z}$ and $x$ is a value variable. 


Service definitions and invocations are written like input and output 
prefixes in CCS. Thus $s.P$ defines a service $s$ that can be invoked by $\bar s.Q$. 
Synchronisation of $s.P$ and $\bar s.Q$ leads to the creation of a new session, 
identified by a fresh name $r$ that can be viewed as a private, synchronous 
channel binding caller and callee. Since client and service may be far apart, 
a session naturally comes with two sides, written $r \triangleright P$ and $r \triangleright Q$, with $r$ 
bound somewhere above them by $(\nu r)$. Rules governing creation and scoping 
of sessions are based on those of the restriction operator in the $\pi$-calculus. 
Note that nested invocations to services yield separate sessions and thus 
hierarchies of nested sessions. 

When two partner sides $r \triangleright P$ and $r \triangleright Q$ are deployed, intra-session 
communication is done via input and output actions $\langle u \rangle$ and $(?x)$: values 
produced by $P$ can be consumed by $Q$, and vice-versa. 

Values can be returned outside a session to the enclosing environment 
using the return operator $\langle \cdot \rangle^\uparrow$. Return values can be consumed by other 
session sides, or used locally to invoke other services, to start new activities. 
Local consumption is achieved using the pipeline operator $P > Q$. Here, a 
new instance of process $Q$ is activated each time $P$ emits a value that $Q$ can 
consume. Notably, the new instance of $Q$ runs within the same session as 
$P > Q$, not in a fresh one. 

Summarising all the above, each CaSPiS process can be thought of as 
running inside an environment providing it different means of communication: 
one channel for "standard" input, one channel for "standard" output and 
one channel for returning values one level up. 


Example 8. Consider the process $(\nu a)(\nu b)(a \triangleright (P_1 \,|\, b \triangleright P_2) \,|\, a \triangleright P_3 \,|\, b \triangleright P_4)$. This 
situation is typical: two sessions $a$ and $b$ have been created (as the result 
of two service invocations). Agent $a \triangleright (P_1 \,|\, b \triangleright P_2)$ participates in sessions 
$a$ and $b$ (assume $P_1$ is the protocol for $a$ and $P_2$ the one for $b$), with the $b$ 
side nested in $a$. The counter-party protocols for $a$ and $b$ are $P_3$ and $P_4$, 
respectively, and they run separately. Notably, values returned one level up 
by $P_2$ can be consumed by $P_3$. 


Example 9. As another illustrative, typical example consider the process 
$P_1 > (P_2 > P_3)$, where each time $P_1$ emits a value an instance of $(P_2 > P_3)$ 
is generated (with $P_3$ being inactive). In any such instance, again, each 
value emitted by $P_2$ yields a new instance of $P_3$. 


Next, we present the structural congruence for CaSPiS processes. 


Figure 12: Type graph for CaSPiS. 


Definition 21 (CaSPiS structural congruence) The structural congruence 
for CaSPiS processes $\equiv_C \subseteq \mathcal{P} \times \mathcal{P}$ is the least congruence satisfying 


$P \,|\, (Q \,|\, R) \equiv (P \,|\, Q) \,|\, R$ (CA1) 
$P \,|\, Q \equiv Q \,|\, P$ (CA2) 
$P \,|\, 0 \equiv P$ (CA3) 

$(\nu n)(\nu m)P \equiv (\nu m)(\nu n)P$ (CA4) 
$(\nu n)0 \equiv 0$ (CA5) 

$P \,|\, (\nu n)Q \equiv (\nu n)(P \,|\, Q)$ if $n \notin fn(P)$ (CA6) 
$((\nu n)Q) > P \equiv (\nu n)(Q > P)$ if $n \notin fn(P)$ (CA7) 
$A.(\nu n)P \equiv (\nu n)A.P$ if $n \notin A$ (CA8) 
$r \triangleright (\nu n)P \equiv (\nu n)\, r \triangleright P$ if $n \neq r$ (CA9) 
$(\nu n)P \equiv (\nu m)P\{m/n\}$ if $m \notin fn(P)$ (CA10) 
$(?x).P \equiv (?y).P\{y/x\}$ if $y \notin fn(P)$ (CA11) 


7.2 Encoding CaSPiS 


We first define the alphabets of edge labels and nodes. The set $\mathcal{D}$ of design 
labels is composed of P, S, D, I, F and T, which respectively stand for 
Parallel processes, Sessions, service Definitions, service Invocations and pipes 
(From and To). The set $\mathcal{E}$ of edge labels contains def (service definition), 
inv (service invocation), in (input), out (output) and ret (return). The node 
sorts considered are $\circ$ (channels), $\bullet$ (control points), $\star$ (service names, i.e. 
$\mathcal{S}$) and $\square$ (values, i.e. $\mathcal{V}$). We assume that for each session name $r$ there is 
a corresponding channel node. 

The graphical representation of each design and edge label and their 
respective types can be found in Figure 12. For instance, designs of type 
P are all of the form $P_{p,t,o,i}[G]$ where $p$ is the control point representing 
the process start of execution, $t$ is the returning channel, $o$ is the output 
channel and $i$ is the input channel. Vice versa, designs of type D and I only 
expose the starting point of execution: they are not strictly necessary for 
the encoding, but can be very useful for visualisation purposes (they enclose 
the interaction protocols between service callers and callees). 


Definition 22 (CaSPiS encoding) The interpretation of CaSPiS opera- 
tors over the design algebra is given by 


$s.Q = P_{p,t,o,i}[\, t \,|\, o \,|\, i \,|\, D_p[\, (\nu q,t',o',i')(def(p,s,q) \,|\, Q(q,t',o',i'))\, ]\, ]$ 
$\bar{s}.Q = P_{p,t,o,i}[\, t \,|\, o \,|\, i \,|\, I_p[\, (\nu q,t',o',i')(inv(p,s,q) \,|\, Q(q,t',o',i'))\, ]\, ]$ 
$r \triangleright Q = P_{p,t,o,i}[\, t \,|\, i \,|\, S_{p,o}[\, Q(p,o,r,r)\, ]\, ]$ 
$Q > R = P_{p,t,o,i}[\, o \,|\, (\nu m)(\, F_{p,t,m,i}[\, Q(p,t,m,i)\, ] \,|\, T_m[\, (\nu q,t',o')R(q,t',o',m)\, ]\, )\, ]$ 


$Q \,|\, R = P_{p,t,o,i}[\, Q(p,t,o,i) \,|\, R(p,t,o,i)\, ]$ 
$(\nu w)Q = P_{p,t,o,i}[\, (\nu w)Q(p,t,o,i)\, ]$ 
$0 = P_{p,t,o,i}[\, p \,|\, t \,|\, o \,|\, i\, ]$ 
$\langle u \rangle.Q = P_{p,t,o,i}[\, (\nu q)(out(p,q,u,o) \,|\, Q(q,t,o,i))\, ]$ 
$\langle u \rangle^{\uparrow}.Q = P_{p,t,o,i}[\, (\nu q)(ret(p,q,u,t) \,|\, Q(q,t,o,i))\, ]$ 
$(?x).Q = P_{p,t,o,i}[\, (\nu q,x)(in(p,q,x,i) \,|\, Q(q,t,o,i))\, ]$ 


together with axioms $flat_P$, $extr_S$, $extr_D$, $extr_I$ and $extr_T$. 


Part of the above definition is graphically represented in Figure 13. 
As in our previous examples we use different arrow types to denote the 
different (ordered, typed) tentacles of each edge. For example, for a design 
representing a process, an outgoing empty arrow represents its returning 
channel, an outgoing filled arrow its output channel, an incoming arrow its 
input channel and a plain arrow its control point. Again, arguments of an 
operation are denoted by annotating the corresponding graph item with a 
variable name. 

We introduce the only flattening axiom $flat_P$ into $\equiv_D$, and extrusion 
axioms $extr_S$, $extr_D$, $extr_I$, $extr_T$. Hence, edges of type P are immaterial 
(they can be considered as type annotations) and edges of type T define 
the only rigid hierarchy w.r.t. containment and name scoping. Other 
explicit hierarchies for edge containment are given by session nesting (S), 
service definition (D), service invocation (I) and pipelining (F). The explicit 
embedding of sessions is not strictly necessary but it provides an intuitive 
visual representation. As usual, flattening processes allows for getting rid 
of the axioms for parallel composition (see [18]). The presence of extrusion 
axioms is motivated by the structural congruence axioms of CaSPiS, namely 
CA7 motivates $extr_T$, CA8 motivates both $extr_D$ and $extr_I$, and CA9 motivates 
$extr_S$. Note that we use dashed borders for designs for which the extrusion 
axiom holds, while designs to be flattened are depicted with dashed borders. 


Figure 13: Graphical interpretation for CaSPiS. 

We explain just a few representative operations in detail. The session 
operations are interpreted as graph operations that wrap a process into a 
hierarchical S-typed graph which exposes the control point and a return 
channel. The first is associated to the control point of the resulting P-typed 
design, while the second is connected to its output channel. Note how session 
embedding hides the input and output channels of the embedded process: 
they are connected directly to the dedicated inter-communication node of 
the session. Another interesting operation is the pipeline. Here, the source 
and target processes of the pipeline are embedded in F- and T-typed designs. 
It is worth noting how the input and output channels of each process are 
connected in a complementary way. The target process hides its control point 
and communication channels to denote that it is a non-active process. When 
the source of the pipe is ready to send a value, a copy of the target process 
is created and the control and channel nodes are connected as expected. A 
main difference w.r.t. the encoding we provided in [5], where the extrusion 
axiom was considered to hold implicitly for all the edges, is that it is no 
longer necessary to retain the target-pipe operator parametric w.r.t. the 
free names of the enclosed process: this was necessary in [5] to keep distinct 
the (non-congruent) CaSPiS processes $(\nu w)(Q > R)$ and $Q > (\nu w)R$ when 
$w \in fn(R)$, but now their corresponding graphs are clearly distinct because 
in the former case $(\nu w)$ appears above the T-typed edge, while in the latter 
case $(\nu w)$ appears below the T-typed edge. 

Note that the encoding we adopted for the pipe operators actually 
suggests how to overcome the restriction to their finite fragment for those 
calculi we presented. Indeed, dealing with replication operators is by no 
means difficult, by exploiting the hierarchical structure. Of course, the 
axiom $!P \equiv\, !P \,|\, P$ would not hold, since the two terms would have different 
graphical encoding. However, it would suffice to introduce an unfolding 
operation, exactly as it happens for the encoding of pipe operators in CaSPiS. 


Example 10. Recall the typical session nesting situation presented in Exam- 
ple 8. Figure 14 depicts the graphical representation of our example, where 
the graph has been simplified (e.g. fusing nodes, removing isolated nodes 
and irrelevant tentacles) to focus on the main issues and make the 
correspondence with the process term immediate. The figure evidences the hierarchy 
introduced by session nesting and how it is crossed by intra-session commu- 
nication. It is also worth noting that the graph highlights the fact that the 
return channel of a nested session is pipelined into the output channel of 
the enclosing session. More precisely, the return channel of the immediate 
session where $P_2$ lives (i.e. $b$) is connected to the output channel of the 
session containing it, i.e. the session channel $a$. 


Example 11. Recall the typical pipeline situation presented in Example 9. 
Its graphical representation is presented in Figure 15 and highlights various 
aspects of interest: the flow of the information via the input and output 
channels, the fact that $P_2$ and $P_3$ are inactive protocols, and the pipe 
nesting. Since $>$ is not associative, $P_1 > (P_2 > P_3)$ and $(P_1 > P_2) > P_3$ are 
not structurally equivalent and this is faithfully reflected in the graphs. 
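The following is an added example, not part of the paper: a decision procedure for the structural congruence of Definition 21, written in Python, which also checks the pipe-related facts above (CA7 lifts a restriction out of a pipe source but nothing lifts it out of a pipe target, and $>$ is not associative). Restrictions are pushed to the nearest barrier (the top level or a pipe target) under a capture-free renaming, bound names are replaced by position-based tokens, and parallel components are flattened and sorted; the tuple encoding of terms, the token names and every function name are constructed for this example.

```python
import itertools

# Close-free CaSPiS terms as nested tuples (a constructed encoding, not the
# paper's notation): ('0',) ('par', P, Q) ('nu', w, P) ('sess', r, P) ('pipe', P, Q)
# ('pre', A, P) with A = ('out', u) | ('ret', u) | ('in', x) | ('def', s) | ('inv', s)
ZERO = ('0',)
_fresh = itertools.count()

def pull(t, sub):
    """Lift restrictions to the nearest barrier (CA6-CA9), renaming them to unique tokens (CA10)."""
    k = t[0]
    if k == 'nu':
        tok = ('#', next(_fresh))
        names, core = pull(t[2], {**sub, t[1]: tok})
        return [tok] + names, core
    if k == 'par':
        n1, c1 = pull(t[1], sub); n2, c2 = pull(t[2], sub)
        return n1 + n2, ('par', c1, c2)
    if k == 'sess':
        names, core = pull(t[2], sub)
        return names, ('sess', sub.get(t[1], t[1]), core)
    if k == 'pipe':  # CA7 lifts out of the source only; the target is a barrier
        names, core = pull(t[1], sub)
        return names, ('pipe', core, ('bar', *pull(t[2], sub)))
    if k == 'pre':
        a = t[1]
        if a[0] == 'in':  # (?x) shadows a restricted x (side condition of CA8)
            names, core = pull(t[2], {n: v for n, v in sub.items() if n != a[1]})
            return names, ('pre', a, core)
        names, core = pull(t[2], sub)
        return names, ('pre', (a[0], sub.get(a[1], a[1])), core)
    return [], ZERO

def canon(t, rho):
    """Canonical form modulo CA1-CA11; `rho` maps bound names to position-based tokens."""
    k = t[0]
    if k == 'bar':  # CA4/CA10: restriction order is irrelevant, so try every naming
        base, best = len(rho), None
        for perm in itertools.permutations(range(len(t[1]))):
            c = canon(t[2], {**rho, **{n: ('b', base + i) for n, i in zip(t[1], perm)}})
            if best is None or repr(c) < repr(best): best = c
        return best if best == ZERO or not t[1] else ('nu', len(t[1]), best)  # CA5
    if k == 'par':  # CA1-CA3: flatten, drop 0, sort
        cs = sorted((c for s in (canon(t[1], rho), canon(t[2], rho))
                     for c in (s[1:] if s[0] == 'par' else [s]) if c != ZERO), key=repr)
        return ZERO if not cs else cs[0] if len(cs) == 1 else ('par',) + tuple(cs)
    if k == 'sess':
        return ('sess', rho.get(t[1], t[1]), canon(t[2], rho))
    if k == 'pipe':
        return ('pipe', canon(t[1], rho), canon(t[2], rho))
    if k == 'pre':
        a = t[1]
        if a[0] == 'in':  # CA11
            return ('pre', ('in',), canon(t[2], {**rho, a[1]: ('v', len(rho))}))
        return ('pre', (a[0], rho.get(a[1], a[1])), canon(t[2], rho))
    return ZERO

def congruent(p, q):
    return canon(('bar', *pull(p, {})), {}) == canon(('bar', *pull(q, {})), {})
```

Unused restrictions are kept, since no axiom of Definition 21 discards them; the permutation search at each barrier is exponential in the number of restrictions there, which is adequate for terms of the size used in the examples.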


Once more, structural congruence amounts to design equivalence, i.e. 
equivalent processes are mapped into isomorphic graphs. 


Proposition 6 (correctness of CaSPiS encoding) For any $P, Q \in \mathcal{P}$ 
we have $P \equiv_C Q$ iff $P \equiv_D Q$. 


Figure 14: Example of session nesting. 


Proof: Soundness of our encoding is reduced to showing that for each axiom 
of $\equiv_C$ (see Definition 21) the left- and right-hand sides are 
interpreted as equivalent design terms (according to $\equiv_D$). The proof for the 
AC1 axioms for parallel and non-deterministic composition of processes in 
$\equiv_C$ is straightforward as we have similar axioms for parallel composition of 
graphs in $\equiv_D$. A similar reasoning can be applied for the axioms regarding 
the order of name restrictions and the restriction of an empty process as we 
have equivalent axioms for node restriction in our design algebra. Let us 
now consider name extrusion for pipelines, services and actions. For axiom 
$((\nu n)Q) > P \equiv (\nu n)(Q > P)$ we observe that both sides are interpreted as 
$P_{p,t,i,o}[\, (\nu n)\, P(p,t,i,o) \,|\, Q(p,t,i,o)\, ]$ (after flattening). The proof for name 
extrusion in sessions is similar but based on flattening and node extrusion 
for designs. Moving name restriction over action prefixes is similarly shown. 

The proof of completeness is along the lines of the one provided for the 
π-calculus: taking $P \not\equiv_C P'$ we want to show that $P \not\equiv_D P'$. The normal form 
of CaSPiS processes is $(\nu W)(\prod_i R_i > Q_i \,|\, \prod_j r_j \triangleright S_j \,|\, \prod_k A_k.M_k)$, where each 
name in $W$ is used at least once and each $R_i$, $Q_i$, $S_j$, $M_k$ is also in normal 
form. If $P$ and $P'$ have the same outermost shape then a simple induc- 
tive argument allows us to conclude that $P \not\equiv_D P'$. If they have different 
shapes, then we compare all the possibilities for this to happen to conclude 
that $P \not\equiv_D P'$. The comparison can be carried out similarly to the case of the 
π-calculus: it is rather long because several cases must be considered, but 
not particularly difficult, because the encoding of each construct (besides 
ordinary parallel composition and restriction) introduces an edge or a design 
that will not be flattened. □ 


Figure 15: Example of pipelining. 


8 Related Work 


On the algebra of graphs. Our most direct source of inspiration is an 
approach for the reconfiguration of software architectures called Architectural 
Design Rewriting (ADR) [7], where architectures are encoded as terms of 
a particular graph algebra and reconfigurations are defined using standard 
term rewriting techniques. Our model of hierarchical graphs extends ADR 
graphs with node sharing and our algebra equips ADR with a suitable syntax. 
In particular, original ADR specifications can be seen as rewrite theories 
over a signature formed by derived operations defined by terms closed with 
respect to nodes. Our algebra, hence, inherits the characteristics of ADR, like 
the ability to nicely model style-preserving architectural reconfigurations [7]. 

Our syntax is inspired by the graph algebra proposed in [12]. The main 
idea there was to have constructors such as the empty graph, single edges, 
and parallel composition, and axioms like associativity and commutativity of 
such composition, in order to consider graphs up to isomorphism. Our richer 
design algebra includes hierarchical features and it is intended to enable a 
more suitable representation for nominal calculi and their behaviour. 

Concerning set-theoretical formalisms, a direct reference is the frame- 
work for hierarchical graph transformation introduced in [14], of which our 
proposal can be considered an extension, dealing with free names, along the 
lines of so-called graphs with interfaces discussed in e.g. [18]. Indeed, as far 
as the mapping of processes is concerned, our solution follows closely [18]: 
the operators verifying the AC1 axioms basically disappear, while name 
restriction is dealt with by handling the interfaces. The encoding in [18] 
actually deals with flat graphs, which suffices for the finite fragment of the 
calculus. It is however noteworthy that, for the finite fragment, the two 
proposals coincide (processes are mapped into isomorphic graphs by the two 
encodings). Other set-theoretical models of hierarchical graphs exist in the 
line of [14] (e.g. [10, 24]), but most of them lack an algebraic syntax and an 
associated set of axioms. 


On structured graphical models. Our approach is closely related to 
other formalisms that adopt a graphical representation of concurrent systems. 
Among those, we mention Synchronized Hyperedge Replacement (SHR) [17] 
and Bigraphical Reactive Systems (BRSs) [23]. 

The syntax of SHR is basically the one of [12], and it is subsumed by 
our algebra. Instead, the SHR approach focuses on the description of the 
operational behaviour of a system by a set of suitably labelled inference rules, 
which may involve complex synchronisations. We discuss later some of the 
rewriting features we intend to add to our approach. However, we can safely 
say that so far the concerns of the two proposals have been orthogonal. 

A bigraph is given by the superposition of two independent graphs, rep- 
resenting the locality and the connectivity structure of a system, respectively. 
In our terms, the first specifies the hierarchical structure of the system, while 
the second the naming topology. We believe that the two approaches have 
the same expressiveness, but argue for the better usability of our syntax and 
the small, intuitive set of axioms. Most importantly, BRSs have been mostly 
studied in connection with the relative pushout (RPO) technique [21], in 
order to distill a bisimilarity congruence from a set of rewrite rules. Our 
hierarchical graphs form a category with pushouts (indeed, possibly an 
adhesive one), and the DPO approach could be then lifted, as in [14]. Hence, 
they should be amenable to the borrowed context technique for distilling 
RPOs [16]. Our proposal thus fits in the standard graph-theoretic mold, 
while its slender syntax provides a simple intermediate language between 
process calculi and their graphical models. Obviously, a possible integration 
is to use our syntax in order to characterise certain classes of bigraphs (e.g. 
pure bigraphs). Such an integration is suggested in [20], where the authors 
propose an algebraic syntax for denoting bigraphs and present type systems 
to characterise those terms that correspond to particular sub-classes. 


On rewriting mechanisms. Concerning the operational behaviour of 
our specifications, we would like to find a term rewriting-like technique 
for the reconfiguration of designs, and prove it compatible with a graph 
theoretical approach for rewriting hierarchical graphs. In other words, the 
correspondence holding between designs and hierarchical graphs should be 
lifted at the level of rewriting. The standard notions of term rewriting can 
be applied to our algebra of designs, simply considering sets of (name and 
design) variables. The corresponding technique for graph rewriting is more 
complex, since most of these techniques are eminently local, thus making it 
difficult to simulate the replication of an unspecified design. Nevertheless, 
since our category admits pushouts, a clear path is laid down by the use of 
rule schemata in the DPO approach, as in [14]. 


9 Conclusions 


We introduced a novel specification formalism based on a convenient algebra 
of hierarchical graphs: its features make it well-suited for the specification 
of systems with inherently hierarchical aspects and in particular, process 
calculi with notions of scopes and containments (like ambients, membranes, 
sessions and transactions). Some advantages of our approach are due to 
the graph algebra, whose syntax resembles standard algebraic specifications 
and, in particular, it is close to the syntax found in nominal calculi. The 
key point is to exploit the algebraic structure of both designs and graphs 
when proving properties of an encoding, facilitating proofs by structural 
induction. Indeed, the main result of the paper already guarantees that 
equivalent terms correspond to isomorphic graphs. 

Summing up, we believe that our approach can serve as an inspiration 
to equip well-known graphical models of communication with syntactical 
notations that facilitate the definition of intuitive and correct encodings of 
structured specifications, such as those obtained by using process calculi. 
Applications. We are applying our technique to various languages, focusing 
on process calculi exhibiting nested features. A preliminary proof 
of the flexibility of our approach for this purpose is found in [5]. Another 
focus is on metamodels: we plan to develop a technique to distill algebraic 
specifications out of MOF metamodels, along the lines of [3] but capturing 
composition as nesting. Some preliminary results in this direction are in [2]. 

An implementation of our approach and its integration in our prototypical 
implementation of ADR [6] in the rewrite engine Maude is under current 
work. A preliminary version is available (at http://www.albertolluch.com/adr2graphs/) 
as a visualiser that considers our design algebra and encodings of process 
calculi like the π-calculus and CaSPiS, among others. 